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SYSTEM AND METHOD FOR CRYPTOGRAPHICALLY PROTECTING DATA 

5 CROSS-REFERENCE TO RELATED APPLICATION 

This application claims the benefit of U.S. Provisional Application No. 
60/128,164, filed on April 6, 1999. 

10 FIELD OF THE INVENTION 

The invention relates to cryptographic methods, and more particularly to systems 
and methods for protecting data files by periodically refreshing a decryption key. 

15 BACKGROUND OF THE INVENTION 

One of the most important issues impeding the widespread distribution of digital 
documents via electronic commerce is the current lack of protection of the intellectual 
property rights of content owners during the distribution and use of those digital 

20 documents. Efforts to resolve this problem have been termed "Intellectual Property 
Rights Management" ("IPRM"), "Digital Property Rights Management" ("DPRM"), 
"Intellectual Property Management" ("IPM'), "Rights Management" ("RM"), and 
"Electronic Copyright Management" ("ECM"). 

A document, as the term is used herein, is any unit of information subject to 

25 distribution or transfer, including but not limited to correspondence, books, magazines, 
journals, newspapers, other papers, software, photographs and other images, audio and 
video clips, and other multimedia presentations. A document may be embodied in 
printed form on paper, as digital data on a storage medium, or in any other known manner 
on a variety of media. 

30 In the world of printed documents, a work created by an author is usually 

provided to a publisher, which formats and prints numerous copies of the work. The 
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copies are then sent by a distributor to bookstores or other retail outlets, from which the 
copies are purchased by end users. 

While the low quality of copying and the high cost of distributing printed material 
have served as deterrents to the illegally copying of most printed documents, it is far too 
5 easy to copy, modify, and redistribute unprotected electronic documents. Accordingly, 
some method of protecting electronic documents is necessary to make it harder to 
illegally copy them. This will serve as a deterrent to copying, even if it is still possible, 
for example, to make hardcopies of printed documents and duplicate them the old- 
fashioned way. 

10 With printed documents, there is an additional step of digitizing the document 

before it can be redistributed electronically; this serves as a deterrent. Unfortunately, it 
has been widely recognized that there is no viable way to prevent people from making 
unauthorized distributions of electronic documents within current general-purpose 
computing and communications systems such as personal computers, workstations, and 
15 other devices connected over local area networks (LANs), intranets, and the Internet. 
Many attempts to provide hardware-based solutions to prevent unauthorized copying 
have proven to be unsuccessful. 

Two basic schemes have been employed to attempt to solve the document 
protection problem: secure containers and trusted systems. 
20 A "secure container" (or simply an encrypted document) offers a way to keep 

document contents encrypted until a set of authorization conditions are met and some 
copyright terms are honored (e.g., payment for use). After the various conditions and 
terms are verified with the document provider, the document is released to the user in 
clear form. Commercial products such as IBM's Cryptolopes and MerTrusf s Digiboxes 
25 fall into this category. Clearly, the secure container approach provides a solution to 
protecting the document during delivery over insecure channels, but does not provide any 
mechanism to prevent legitimate users from obtaining the clear document and then using 
and redistributing it in violation of content owners' intellectual property. 

Cryptographic mechanisms are typically used to encrypt (or "encipher") 
30 documents that are then distributed and stored publicly, and ultimately privately 
deciphered by authorized users. This provides a basic form of protection during 



2 



document delivery from a document distributor to an intended user over a public 
network, as well as during document storage on an insecure medium. 

In the "trusted system" approach, the entire system is responsible for preventing 
unauthorized use and distribution of the document. Building a trusted system usually 
5 entails introducing new hardware such as a secure processor, secure storage and secure 
rendering devices. This also requires that all software applications that run on trusted 
systems be certified to be trusted. While building tamper-proof trusted systems is still a 
real challenge to existing technologies, current market trends suggest that open and 
untrusted systems such as PC's and workstations will be the dominant systems used to 
10 access copyrighted documents. In this sense, existing computing environments such as 
PC s and workstations equipped with popular operating systems (e.g., Windows and 
UNIX) and render applications (e.g., Microsoft Word) are not trusted systems and cannot 
be made trusted without significantly altering their architectures. 

Accordingly, although certain trusted components can be deployed, one must 
15 continue to rely upon various unknown and untrusted elements and systems. On such 
systems, even if they are expected to be secure, unanticipated bugs and weaknesses are 
frequently found and exploited. 

One particular issue arises in the context of document distribution, as described 
generally above. In the traditional model of document distribution, the content author 
20 and the publisher typically do not handle distribution; a separate party with distribution 
expertise is given that responsibility. Furthermore, while it is possible to encrypt a 
document (using standard techniques) so that multiple recipients can decrypt it, it is not 
usually known at the time a work is created who the ultimate users will be. It makes 
more sense for the distributor to determine who the end users will be, and to distribute the 
25 document to them as desired. If, as in traditional model, the original work of authorship 
is sent to a publisher and a distributor in the clear, that is a point of vulnerability for the 
work. 

A similar problem arises in office settings, for example, in which it is frequently 
desirable to designate what is variously called a document agent, surrogate, or delegate. 
30 In this situation, it is often useful to be able to give an administrative assistant or 
secretary the right to decrypt certain document not intended directly for that person. 
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Considering the problem more broadly, in a networked environment, messages 
are often passed to recipients other than their initially intended ones. When message 
confidentiality is a concern and encrypted messages are forwarded, it is very desirable to 
allow one to decrypt these messages on behalf of another. To be concrete, suppose that 

5 Bob is the one who needs to read some message that is initially encrypted for Alice. One 
trivial solution is that Alice simply reveals her decryption key to Bob so that Bob can use 
it to decrypt the message himself. This requires Alice to trust Bob totally, which may not 
be acceptable to Alice. Another way to accomplish this task is to let Alice first decrypt 
the message, then re-encrypt it for Bob and finally send the newly encrypted message to 

10 Bob so that he can decrypt. Though the message is communicated securely, this solution 
is less efficient as it requires two decryption and one encryption operations in order for 
Bob to obtain the message. More importantly, in some situations such re-encryption 
solution is not even applicable or desirable. For example, Alice may not have access to 
the encrypted message, as it may be sent by its originator directly to Bob for 

15 communication efficiency and other considerations. Also, decrypting the encrypted 
message to a clear version, even if only for a short time, can be a substantial 
vulnerability. 

Accordingly, it would be desirable to have an encryption/decryption framework 
that supports the ability to transfer the right to decode messages. Such a framework 
20 would allow a delegate to, essentially, authorize the re-encryption of a message for 
another party's use without first decrypting the original message. It would also be useful 
for this to be possible without the delegate ever having possession of the encrypted 
message. 

25 SUMMARY OF THE INVENTION 

How to transfer the right to decrypt from one key holder to another in a secure 
and efficient way is the subject of proxy encryption. Some specific proxy encryption 
schemes have been recently proposed to convert messages encrypted for one key into 
30 messages encrypted for another without revealing secret decryption keys and original 
messages to the public. Mambo and Okamoto have introduced several private, non- 
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commutative, message-independent proxy encryption schemes. Blaze and Strauss have 
introduced a public, commutative, message-independent proxy encryption scheme. 

In this disclosure, the same general problem is initially addressed but in the more 
general context of encoding schemes. Encoding schemes considered in this disclosure 
differ from encryption schemes or cryptosystems in that they do not necessarily have any 
security-related requirements. For an encoding scheme to be an encryption scheme, it is 
necessary that an eavesdropper, upon seeing an encoded message, should be unable to 
determine either the original message or the key used to decode the message. Working 
with encoding schemes makes it possible to build applications with lightweight security 
but high implementation efficiency, such as efficient massive document distribution and 
updating of ciphertext with new keys to protect long-term encrypted messages. In this 
disclosure, a class of encoding schemes is defined, and several example schemes are 
given. A process by which new schemes can be constructed using existing ones is also 
offered herein. 

Several more formal proxy encryption schemes are then presented. A proxy 
encryption scheme is an encryption scheme that allows a designated key holder to 
decrypt messages on behalf of another key holder. This disclosure introduces two new 
proxy encryption schemes based on the known ElGamal scheme, with improved 
functionalities over existing proxy encryption schemes. They are public in the sense that 
proxy-related information and transformations can be safely made to the public, and at 
the same time non-commutative in terms of trust relationships among involved key 
holders. Applications of these new schemes to massive document distribution and file 
protection are also presented. 

The basic idea in the methods present in this disclosure is as follows: in order for 
Alice to transfer the right to decode to Bob, Alice generates a transfer key t for Bob. 
With the transfer key t, Bob can re-encrypt the message initially encoded for Alice and 
subsequently decrypt it using his own key. Much like in proxy encryption, the transfer is 
performed in such a way that the transfer key does not explicitly reveal the decoding keys 
of either Alice or Bob, or the original message. 

How to delegate the right to decrypt from one key holder to another in secure and 
efficient ways is the subject of proxy encryption. Very recently, some specific proxy 



encryption schemes have been proposed to convert messages encrypted for one key into 
messages encrypted for another without revealing secret decryption keys and original 
messages to the public. Mambo and Okamoto have described three proxy encryption 
schemes for the ElGamal and RSA encryption schemes. M. Mambo and E. Okamoto, 
5 "Proxy cryptosystems: Delegation of the power to decrypt ciphertexts," IEICE Trans, on 
Fundamentals, Vol. E80-A, No. 1, pp. 54-63 (1997). For the situation mentioned 
above, their schemes have better computational performance over the re-encryption 
scheme, but for security reasons require the presence of the original key holder Alice in 
the message conversion. Moreover, the schemes themselves do not help specifying who 
10 is the key holder that Alice wants to delegate the decryption right to. The scheme 
proposed by Blaze and Strauss, on the other hand, does not have these shortcomings. It is 
a modification of the ElGamal encryption scheme. M. Blaze and M. Strauss, "Proxy 
Cryptography," Draft, AT&T Research Labs, ftp://ftp.research.att.com/dist/mab/proxy.ps 
(May 1997). One very appearing feature of the Blaze and Strauss scheme is that it 
15 permits communicating proxy related information and performing the message 
conversion in public. But it introduces a more serious problem: it is commutative in the 
sense that Bob is able to obtain Alice's decryption key. This type of commutativity 
makes the proxy encryption scheme obsolete, as the entire scheme can be well simplified 
to giving Alice's key to Bob and letting Bob decrypt. Another issue (not necessarily a 
20 problem) created by this scheme is that once Bob has been granted the decryption right 
by Alice, he can decrypt all messages that are originally for Alice. This message- 
independence may be useful in some cases such as self-delegation but is not be desirable 
in many practical applications where the original key holder wants to be selective on 
which messages the delegated decryption is allowed. 
25 Accordingly, the proxy encryption schemes according to the present invention, 

which are public and non-commutative, eliminate some of the disadvantages of other 
known cryptosystems. 

In this disclosure, two new proxy encryption schemes are then introduced. They 
are all based on the ElGamal public-key encryption scheme and have comparable 
30 computational performance. Essentially, they have retained the following desirable 
features of the existing schemes: (i) public: the presence of the original key holder is not 
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required after proxy information is generated, and proxy related information and 
operations can communicated and conducted in public; (ii) non-commutative: key holders 
do not have to trust each other in regard to their private decryption keys; and (iii) 
restricted: the key holder to whom the decryption right is delegated to is specified, and 
5 the proxy information (key) is message dependent. 

Finally, delegating the right to decrypt messages is then described in the context 
of the Cramer-Shoup cryptosystem, which bears some advantages over other systems. 

These and other features and advantages of the present invention are apparent 
from the Figures as fully described in the Detailed Description of the Invention. 

10 

BRIEF DESCRIPTION OF THE DRAWINGS 

FIGURE 1 is a block diagram of an electronic document distribution system 
capable of operation according to the invention; 
15 FIGURE 2 is a block diagram illustrating the encoding operations performed 

when delegating the authority to decrypt a message in a method according to the 
invention; 

FIGURE 3 is a flow chart illustrating the general steps performed in transforming 
an encoded message for decoding by another; 
20 FIGURE 4 is a block diagram schematically illustrating the parties involved in a 

system adapted for the delegation of the authority to decrypt messages; 

FIGURE 5 is a flow chart illustrating the steps performed in a generic proxy 
encryption scheme; 

FIGURE 6 is a flow chart illustrating the steps performed in encrypting and 
25 decrypting a message according to the ElGamal cryptosystem; 

FIGURE 7 is a flow chart illustrating the steps performed in a known ElGamal- 
based proxy encryption and decryption scheme proposed by Mambo and Okamoto; 

FIGURE 8 is a flow chart illustrating the steps performed in a known ElGamal- 
based proxy encryption and decryption scheme proposed by Blaze and Strauss; 
30 FIGURE 9 is a flow chart illustrating the steps performed in a first embodiment of 

an ElGamal-based proxy encryption and decryption scheme according to the invention; 
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FIGURE 10 is a flow chart illustrating the steps performed in a second 
embodiment of an ElGamal-based proxy encryption and decryption scheme according to 
the invention; 

FIGURE 11 is a flow chart illustrating the steps performed in a document 
5 distribution scheme according to the invention; 

FIGURE 12 is a flow chart illustrating the steps performed in a file protection 
scheme according to the invention; 

FIGURE 13 is a flow chart illustrating the steps performed in encrypting and 
decrypting a message according to the Cramer-Shoup cryptosystem; and 
10 FIGURE 14 is a flow chart illustrating the steps performed in an embodiment of a 

Cramer-Shoup-based proxy encryption and decryption scheme according to the 
invention. 

The Figures are more fully explained in the following Detailed Description of the 
Invention. 

15 

DETAILED DESCRIPTION OF THE INVENTION 

The invention is described below, with reference to detailed illustrative 
embodiments. It will be apparent that the invention can be embodied in a wide variety of 
20 forms, some of which may be quite different from those of the disclosed embodiments. 
Consequently, the specific structural and functional details disclosed herein are merely 
representative and do not limit the scope of the invention. 

Figure 1 represents a top-level functional model for a system for the electronic 
distribution of documents, which as defined above, may include correspondence, books, 
25 magazines, journals, newspapers, other papers, software, audio and video clips, and other 
multimedia presentations. 

An author (or publisher) 110 creates a document's original content 112 and passes 
it to a distributor 114 for distribution. Although it is contemplated that the author may 
also distribute documents directly, without involving another party as a publisher, the 
30 division of labor set forth in Figure 1 is more efficient, as it allows the author/publisher 
1 10 to concentrate on content creation, and not the mechanical and mundane functions 



8 



taken over by the distributor 114. Moreover, such a breakdown would allow the 
distributor 114 to realize economies of scale by associating with a number of authors and 
publishers (including the illustrated author/publisher 110). 

The distributor 114 then passes modified content 116 to a user 118. In a typical 
5 electronic distribution model, the modified content 116 represents an re-encrypted 
version of the original encrypted content 112; the distributor 114 first decrypts the 
original content 112 and then re-encrypts it with the user 118*s public key; that modified 
content 1 16 is customized solely for the single user 1 18. The user 1 18 is then able to use 
his private key to decrypt the modified content 1 16 and view the original content 1 12. 
10 A payment 120 for the content 1 12 is passed from the user 118 to the distributor 

114 by way of a clearinghouse 122. The clearinghouse 122 collects requests from the 
user 118 and from other users who wish to view a particular document. The 
clearinghouse 122 also collects payment information, such as debit transactions, credit 
card transactions, or other known electronic payment schemes, and forwards the collected 
15 users' payments as a payment batch 124 to the distributor 1 14. Of course, it is expected 
that the clearinghouse 122 will retain a share of the user's payment 120. In turn, the 
distributor 114 retains a portion of the payment batch 124 and forwards a payment 126 
(including royalties) to the author and publisher 1 10. In one embodiment of this scheme, 
the distributor 1 14 awaits a bundle of user requests for a single document before sending 
20 anything out. When this is done, a single document with modified content 116 can be 
generated for decryption by all of the requesting users. This technique is well-known in 
the art. 

In the meantime, each time the user 118 requests (or uses) a document, an 
accounting message 128 is sent to an audit server 130. The audit server 130 ensures that 

25 each request by the user 118 matches with a document sent by the distributor 114; 
accounting information 131 is received by the audit server 130 directly from the 
distributor 114. Any inconsistencies are transmitted via a report 132 to the clearinghouse 
122, which can then adjust the payment batches 124 made to the distributor 114. This 
accounting scheme is present to reduce the possibility of fraud in this electronic 

30 document distribution model, as well as to handle any time-dependent usage permissions 
that may result in charges that vary, depending on the duration or other extent of use. 

9 



The foregoing model for electronic commerce in documents, shown in Figure 1, is 
in common use today. As will be shown in detail below, it is equally applicable to the 
system and method set forth herein for the distribution of self-protecting documents. 

5 Proxy Encoding Schemes 

For simplicity, initially consider encoding schemes of the following type. An 
encoding system consists of four components: (i) a message space X which is a collection 
of possible messages, (ii) a key space K which is a set of possible keys, (iii) a 
10 computationally efficient encoding transformation E:KxX -» X and (iv) a 
computationally efficient decoding transformation D : KxX -> X . For each k e K , the 
encoding transformation E k : X X and decoding transformation D k : X -» X are 
injection (one-to-one) mappings on X, and they satisfy that, for every message xe X, 

D k (E k (x)) = x. 

15 Certainly, such defined encoding schemes can be varied in several ways to cover a wider 
range of ones. One is to differentiate the space of encoded messages from the one of 
original messages, and another is to consider that keys used for encoding and decoding 
are different. In terms of cryptography, the encoding schemes considered below are 
essentially private-key (or, more precisely, symmetric), endomorphic cryptosystems. 

20 Such defined encoding schemes have some advantageous properties. Given an 

encoding scheme (X, K, E, D\ each encoding transformation and its corresponding 
decoding transformation are inverse transformation of each other; that is, for each k e K , 

D k =(E k y l mdE k =(D k )'\ 
If X is a finite set, each encoding or decoding transformation is just a permutation on X. 

25 Classic, symmetric-key encryption schemes are encoding schemes. Here are 

some of them. 

XOR Scheme X. In this scheme, the message space X is the set B n of all n-bit 
binary strings for some integer n > 0, and so is the key space K. The number of possible 
messages and the number of possible keys are both 2". For each message x and each key 
30 K the encoding is 
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y = E k (x) = x®k 

and the decoding of message y is 

x = D k (y) = y@k; 

where 0 represents the bit-wise XOR (exclusive or) operation. 

5 Multiplicative Scheme M. A message in this scheme is an element in 

X = Z„ = {0, 1, .. ., n-1 } for some integer n > 0. A key is also an element a in Z n but 
satisfying gcd(a, n) = 1, where the "gcd" function specifies the greatest common integer 
divisor of the two arguments. That is, the key space K consists of the elements in the 
multiplicative group Z*„ ={aeZ n \ gcd(a,n) = 1} . The encoding of a message x with a 

10 key a is 

y-E a (x) = ax(mod n) 

and the decoding of a message y with a key a is 

x = D a ( y) = a~ l y(mod«) , 
where a' 1 is the multiplicative inverse of a modulo n; that is, a' 1 is an element in Z„ such 
15 that afl ^mod n) = a _1 a(mod n) = 1. Note that the condition on a, gcd(a, ri) = 1, is used to 
guarantee that a has the inverse d\ It is known that the number of such as is equal to the 
value of the Euler phi-function 

m 

0(n)=n^'-^" 1 ) 

1=1 

where 

m 

20 »=n^ 

i-l 

is the prime decomposition of n. So the number of keys in the scheme M is 0(n) . 

Shift Scheme S. Messages and keys of the shift scheme are all elements in 
Z„ = {0, 1, n-1} for some integer n > 0; that is, X = K= Z„. Thus, the number of 
messages and the number of keys in the shift scheme are all equal to n. To encode a 
25 message x with a key b, one calculates 

y = E b (x) =x + b (mod n) 
and to decode a message y with b, one computes 

x = D b (y) =y-b (mod n) . 
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Substitution Scheme P. This scheme is also defined over X = Z*. However, the 
key space K = U n consists of all permutations of elements in Z rt . Thus, the total number 
of keys is n!. For each permutation p e U n , the encoding is 

y = E p (x)=p(x), 

while the decoding is 

x = D&)=p l <y) 9 
where p~ l is the inverse permutation of p. 

It should be noted that the multiplicative and shift schemes are special cases of the 
substitution scheme which include only <j>{n) and n of the n\ possible permutations of n 

elements, respectively. 

New encoding schemes can be constructed by combining existing ones. One way 
is to form their "product." Suppose S and S' are two encoding schemes with the same 
message space X. The product of S and S\ denoted by SxS\ has the same message 
space X. A key of the product scheme has the form (fc, k% where k and k 1 are keys of S 
and 5', respectively. The encoding and decoding transformations of the product 
scheme are defined as follows: for each key (k, k') e K , 

and 

D, kX) {x) = D k {D[\c)). 
That is, the message x is first encoded with E k , and the resulting message is then "re- 
encoded" with E k -. Decoding is similar, but it is done in the reverse order. 

It is straightforward to check that the product construction is always associative: 
(5 x 5') x 5* = 5 x (5'x S*) . If an encoding scheme S is taken to form the product 
with itself, one obtains the scheme 5x5, denoted by S 2 . If the w-fold product is taken, 
the resulting scheme, denoted by 5", is called an iterated encoding scheme. 

A simple example to illustrate the definition of product encoding schemes is as 
follows. 

Affine Scheme A. This scheme is also defined over X = Z„. A key of the affine 
scheme is a pair of integers (a, b) in Z„, where gcd(a, n) = 1. The encoding 
transformation is 
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y = E(a, b)(x) = {ox + b) (mod n) 
and the decoding transformation is 

x = *)(y) = a _1 (y- b) (mod n) 
where a' 1 is the modular inverse of a modulo n. These transformations of the type ax + b 

5 are usually called affine transformations, hence the name affine scheme. Note that the 
scheme A reduces to the multiplicative scheme M when b = 0 and the shift scheme S 
when a = 1. Thus, M and 5 are special cases of A. On the other hand, A is their product 
MxS . As seen before, a key in the multiplicative scheme M is an element fleZ*; the 
corresponding encoding transformation is E a (x) = ox (mod n). A key in the shift scheme 

10 is an element beZ n , and the corresponding encoding transformation is 
E b (x) = x + b (mod ri). Hence, a key in the product scheme MxS has the form 
(a,b) € Z* xZ n , and its encoding is 

£(a, b)(x) = EriEJd) = ax + b (mod n) . 

This is precisely the definition of the encoding transformation in the affine scheme. 
15 Similarly, the decoding transformation in the affine scheme is the composition of the 

decoding transformations of the shift and multiplicative schemes. 

The objective of transferring the right to decode messages in any given encoding 

scheme (X,K,E,D) can be stated as follows: for any given message xe X and keys 

fc, fc'e K , convert in some efficient way the encoded message y = E k (x) using the key k 
20 into the encoded message y' = E k {x) using the key k f so that the new message / can be 

decoded correctly using the key k\ If this can be achieved, it is said that the right to 

decode the message y has been transferred or delegated from the key holder of k to the 

key holder of k\ 

Figure 2 illustrates the transformation it 210 that is needed to achieve the 
25 objective. The thick lines 212, 214, and 216 representing transformations £ fo tt, and IV, 
respectively, form a sequence of steps that encodes a message x with one key k 9 converts 
the encoded message into the other one encoded with another key k\ and decodes the 
message using the key k\ The thin lines 218 and 220, representing the transformations 
E k < and D kj respectively, show other possible encoding and decoding operations that may 
30 be performed. 
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In many cases, the key space K of an encoding scheme is not merely a set. 
Equipped with some operation K may possess some mathematical structure. For 
instance, the key spaces of all the example schemes given in the previous section can be 
equipped with some operations to become mathematical groups. Table 1, below, shows 
5 some of these operations, where ° stands for the composition operator of permutations 
and 

•rCZ'.xZJxCZ'.xZJ-^Z'.xZ. 

is defined as 

{a,b)*{a,b') = (aa(modn),ab+b'(modn)) . 
10 Table 1 



Scheme 


Key Space 


Operation 


X 




e (xor) 


M 


z; 


x (mod n) 


S 


z n 


+ (mod ri) 


P 


n n 


° (composition) 


A 


z>z B 


* (defined above) 



When the key space K of an encoding scheme (X, K, E, D) is a group with some 
operation the encoding and decoding transformations may be uniquely determined by 
the keys. This happens when the key space K is isomorphic, as a group, to the 
15 transformation groups E = {E k \ k e K) and D = {D k I k e K} formed by the encoding 
and decoding transformations on the message space X; that is, for any fe, k'e K , 

D k =(E k y l =E k + and E^E^^E^ 

and 

E k = (D k y l = D k _ x and D k o D k , = D kk , , 

20 where ° is the composition operator of the transformations, which is defined as, for 
example, 

E k oE k ,(x) = E k ,(E k (x)) 

for all jce X. 

It can be easily checked that all the schemes given in Table 1 above are key- 
25 determined. Key-determined encoding schemes permit a systematic way to transfer the 
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right to decode messages from one key holder to another. With the isomorphism between 
the key space and the transformation groups, the composition of the decoding 
transformation with one key k and the encoding transformation with another key k' can 
then be viewed as the encoding transformation determined by the composed key k~ l * k. 
5 Let (X, K, £, D) be a key-determined encoding scheme. Suppose y = E k (x) is the encoded 
version of the message xe X with the key ke K. The right to decode the encoded 
message of x can be transferred from the key holder of k to the key holder of k f in the 
two-step algorithm shown in Figure 3. 

First, generate a transfer key t = k A -k (step 310). Then encode the message with 
10 the transfer key t according to y' = E t (y) (step 3 12). 

The algorithm is correct thanks to the property of the key space being isomorphic 
to the encoding and decoding transformation groups. The correctness can be verified as 
follows: 

D k ,(y') = D k ,(E t (y)) 

= D k ,(E k ,(E k Ay))) 
= E k ,(y) 

= D k (y) 
= D k (E k (x)) 
= x 

15 The generality of the algorithm makes it immediate to derive the transference 

steps for the example schemes set forth above. Referring again to Figure 3, for the XOR 
Scheme X over B„, to convert y = E k (x) to ? = Et£x\ first generate a transfer key 
* = fc0fc'(step 310). Then encode the message with the transfer key t according to 
y' = y@t (step 312). 

20 For the Multiplicative Scheme M over Z* , to convert y = E a (x) to y' = E a (x), first 

generate a transfer key t = a'a 1 (mod n) (step 310). Then encode the message with the 
transfer key t according to / = ty (mod n) (step 312). 

For the Shift Scheme S overZ„ , to convert y = E b (x) to y' = E b {x), first generate a 
transfer key t = V - b (mod n) (step 310). Then encode the message with the transfer key 

25 t according to y' = y + 1 (mod n) (step 3 12). 
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For the Substitution Scheme P over II rt , to convert y = E p (x) to / = E p {x\ first 
generate a transfer key t ~p l ° p' (step 310). Then encode the message with the transfer 
key t according to / = t(y) (step 312). 

As will be described below, it is also possible to transfer the right to decode in 
product schemes of not only key-determined encoding but also commuting schemes. In 
order to define commuting schemes, it is necessary to characterize encoding schemes that 
are essentially equivalent. Suppose that S = (X, E, D) and S' = (X, K\ E\ D') are two 
encoding schemes with the same message space X. S is said to be equivalent to S\ 
denoted by S = S\ if there is a bijective (one-to-one and onto) mapping h \K^>K f such 
that for each message xeX and for each key k e K , 

E k (x) = E' h(k) (x) 

and 

D k ix) = D' hm {x). 

Clearly, the scheme equivalence relation = is an equivalence relation; that is, it satisfies 
that, for any encoding schemes S, S\ 5", the following hold: (i) S = S\ (ii) S = S' implies 
S' = 5; and (iii) S = S' and S f = S" imply S = S". Thus, equivalent encoding schemes form 
an equivalence class in that each scheme in the class provides no more and no less 
functionality than any others in the class. 

The scheme equivalence relation allows one to characterize encoding schemes in 
several ways. An encoding scheme S is said to be idempotent if S 2 = S. Many of the 
encoding schemes are idempotent, including the XOR, multiplicative, shift, substitution, 
and affine schemes. If a scheme S is idempotent, then there is no point in using the 
product scheme S 2 , as it requires an extra key but provides no more functionality. 

Another characterization on encoding schemes using the scheme equivalence 
relation = is that of commuting schemes. Two encoding schemes S and S' are said to 
commute if S x S' = S'x 5 . Trivially, any scheme commutes with itself. A not-so-trivial 
example is that of the multiplicative scheme M and the shift scheme 5. To see that they 
commute, i.e., M x 5 = S x M , one can compare the equations 

E b (E a (x)) = ax + b (mod n) 

and 
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E a (E b (x)) = ax + ab (mod n); 

and find out that the mapping 

h:K s xK M -*K M xK s 

defined by 

5 h(b, a) = (a, a l b (mod n)) 

makes the product S x M isomorphic to the product MxS. 

Product schemes of key-determined and commuting encoding schemes enjoy a 
systematic way of transferring the right to decode messages. Let S x xS 2 be the product 
scheme of two key-determined and commuting encoding schemes. Suppose that 

10 h = (h l ,h 2 ):K 2 xK l -> K Y xK 2 is the mapping that makes S 2 xS x isomorphic to 
S x x S 2 , where \ : K 2 x K x -» K x and h 2 : K 2 x K x -> K 2 . First, observe that the product 
scheme is also key-determined; the product key space K x xK 2 is a group with respect to 
the operation * defined by 

15 This is because 

= E k x ° E h(k 2f k[) ° E ^ki) ° E k> 2 

- E hMk 2 ,k[) oE h 1 {k 2 ,k[yk 2 

~ E {k x ,k 2 )*{k[X 2 ) 

Now, the right to decode the encoded message of x can be transferred from the 
key holder of k to the key holder of another key k r in the two-step algorithm shown in 
Figure 3. First, generate a transfer key t = (/^(fc" 1 ,/:" 1 k[\h 2 (k~\ky l -k')*^) (step 
20 310). Then encode the message with the transfer key t according to / = E t (y) (step 312). 

The correctness of the transference algorithm is verified by the following 
equality: 
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= D k2 oD ki oE k[ oE k ,(y) 
= E k ,oE k , 2 (x) 

where the last entity can be readily decoded using the key k f = (k' v k' 2 ) . 

The method is best illustrated with the following example, applying the affine 

cipher A over Z n . Since A = Mx5, and M and 5 are key-determined, commuting 

5 schemes, the method described above applies to the affine scheme. As seen before, it is 

the mapping h(b, a) = (a, ab) that makes SxM isomorphic to M x S . Thus, h\{b, a) = a 

and h 2 (a, b) = ab (mod n). The transfer key t from (a, fc) to (a r , Z>') can be derived as 

t = (h l (b-\a' i -a\h 2 (b-\a- 1 -a)-b') 
= (a'-a-\h 2 (b- l ,a- l *a) + b') 
= {a*a\(a'-a l )b'' l +b*) 
- (aa~ l -aa~ l b + b') 

Then, to decode y using a second key (a\b% first generate a transfer key 

A 

10 t = (aa" 1 (modn)-aa~ 1 & + fe , (modn))=(^^2)( ste P 310 )- Then encode the message 
using the transfer key t according to y 1 = t\y + 1 2 (mod n) (step 312). 

The methods presented herein for transferring the right to decode messages are 
transitive. This means that two sequential transfers from Alice to Bob and then from Bob 
to Carol are equivalent to a direct transfer from Alice to Carol. It is important to note 

15 that, in each of the example schemes, a transfer key is also a key of the scheme. 

Accordingly, two transfer keys used in the two sequential transfers can be 
combined to form a transfer key for the direct transfer. Take the affine scheme as an 
example. Let k = (a, b\ k f = (a', b% and k" = (a" 9 b") be the keys for Alice, Bob, and 
Carol, respectively. Then the transfer keys are t = (a'a~\-a'a~ l b + b') from Alice to 

20 Bob, f' = (flV" 1 ,-aa'~ x b'+b*) from Bob to Carol, and f' = (a V 1 -a "a' l b + b") from 
Alice to Carol. It is straightforward to verify that the composition of t and f as 
keys in the affine scheme yields f: 
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- ((a V" 1 ){aa x ), (a V" 1 ){-aa l b + fc') + (-a V'V + £>*)) 
= ** 

In other words, the composition of sequential transfers of the right to decode messages is 
memory-less; all the intermediate transfers will not be reflected in the overall transfer. 

It should be noted also that, for the schemes X, M, and S, the transfer key 

5 generation step is equivalent to "decoding" k r with k. Thus, the computation needed in 
the transfer is the same as the one used in the decoding-and-re-encoding method for these 
schemes. One may think that the new method shows no improvement in this efficiency 
regard, but it has been found that the transfer key is message-independent and hence 
needs to be computed only once. When the number of messages m involved in the 

10 transfer increases, this feature will cut the computation required by the re-encoding 
method by half. Moreover, the transfer key t does not leak any useful information on the 
keys k and k\ and a transfer performed according to the methods set forth herein will not 
reveal the message x These properties make the proposed method appealing when the 
security of the message x and the decoding keys k and k' is an issue during a transfer. 

15 A typical system configuration capable of carrying out the methods described 

with reference to Figure 3 (and described in further detail below) is shown in Figure 4. 
There are three relevant parties in most proxy encryption applications. An Encryptor 
410, a Grantor A 412, and a Grantee B 414. As will be recognized, the encryption, 
decryption, and other processing operations performed in the invention are facilitated by 

20 a processor (416, 418, 420) under each party's control. Each processor is equipped with 
memory (422, 424, 426) for data storage and a communication interface (428, 430, 432), 
capable of sending and receiving messages. 

Proxy Encryption Schemes 

25 

The rest of the disclosure, directed to more formal proxy encryption schemes, 
rather than encoding schemes, is organized as follows. First, a generic proxy encryption 
scheme is described and characterized according to several criteria. The several 
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following paragraphs fix set forth notation that will be used throughout the disclosure and 
recall the ElGamal public-key encryption scheme. For the purpose of comparison, this 
disclosure then lists two existing proxy encryption schemes and examines their properties 
in comparison to the present invention. Details on the two new proxy encryption 
5 schemes are then introduced, together with their security and performance analysis. 
Applications of these new schemes to massive document distribution and file protection 
are given thereafter. 

As indicated in the introduction, the goal of proxy encryption is to delegate the 
decryption right from one to another in secure and efficient ways. For the discussion that 

10 follows, it is convenient to define the roles of parties that may be involved in proxy 
encryption. Two most important roles are those of grantor and grantee. A grantor is an 
original key holder of encrypted messages who wants to delegate the decryption right to 
someone else. A grantee is a key holder designated to perform decryption on behalf of a 
grantor and thus act as grantor's decryption proxy. In the motivating example in the 

15 introduction, Alice is the grantor while Bob is the grantee. Other roles may include an 
encryptor who is an one that originally encrypts messages for the grantor, and a 
facilitator who may help to perform some message processing tasks, such as 
transforming messages encrypted for the grantor into messages encrypted for the grantee. 
Certainly, it is not necessary that all these roles are played by different parties. For 

20 example, a party may play roles of the grantor and facilitator, as in the Mambo and 
Okamoto schemes discussed below. 

With these roles in place, a proxy encryption scheme is just a description of how a 
grantee, possibly with some aid from a facilitator, delegates a grantee the right to decrypt 
messages originally generated by an encryptor for the grantee. A proxy encryption 

25 scheme may consist of four generic steps: message encryption, proxy key generation, 
proxy transformation and message decryption. These steps will be described in further 
detail below, with reference to Figure 5. 

1. Message encryption E: The encryptor generates an encrypted message using 
grantor's encryption key and delivers it to the grantor (step 510). 
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2. Proxy generation tc. To delegate the decryption right to the grantee, the grantor 
generates a proxy key % as a commitment token that allows the grantee to decrypt the 
message encrypted for the grantor (step 512). 

3. Proxy transformation II: When necessary, the facilitator performs a proxy 
5 transformation n, possibly using the proxy key tu, to convert the message encrypted for 

the grantor to a message encrypted for the grantee (step 514). 

4. Message decryption D: Upon receiving the transformed message and possibly 
the proxy key k, the grantee decrypts the message (step 516). 

Accordingly, it should be observed that the generic scheme above covers the two 
10 straightforward solutions to proxy encryption mentioned in the introduction. The re- 
encryption scheme is a special case where the grantor (Alice) is also the facilitator who 
actually decrypts the message and then encrypts for the grantee (Bob), and the proxy k 
can be considered as a collection of grantor's decryption key and grantee's encryption 
key, which is used only by the grantor and not by the grantee. The scheme of passing 
15 grantor's decryption key to the grantee is another special case of the generic scheme, 
where the proxy key is the decryption key and the proxy transformation is the identity 
transformation. 

However, not all schemes that can be derived from the generic one above are 
qualified as proxy encryption schemes. Intuitively, a proxy encryption scheme has to 
20 satisfy some basic requirements, namely delegation, security, transitivity and 
performance, as described below. 

Delegation. To ensure that, at the end of the message decryption step, the grantee 
is able to recover the original message correctly, the following equation must hold for 
any message m: 

25 D(U(E(m,e A ),^),d B ,7u) = m, 

where E(m,e) is an encryption function of message m under encryption key e, 
D{c,d,n) is a corresponding decryption function of encrypted message c under 
decryption key d and possibly proxy key %, TL(c,x) is the proxy function that converts 
encrypted message c according to proxy key x, and e A , e B , d A , and d B are the encryption 

30 and decryption keys of the grantor A and grantee B, respectively. 
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In addition to the correctness above, the functionality of delegation should be 
guaranteed. In one form, this means that, after the proxy key is issued and the proxy 
transformation is completed, the message decryption step should require no private 
information from the grantor, and it should be carried out solely by the grantee. In 

5 another form, this is equivalent to undeniability of the delegation from the grantor; that is, 
once the proxy key is created and proxy transformation is performed, the grantor should 
not be able to deny the delegation, without seeking other means such as preventing the 
grantee from obtaining the proxy key and receiving the transformed message. As a 
consequence of this functionality, the grantor's decryption key can be destroyed with 

10 grantee's decryption key and possibly the proxy key maintaining the ability to decrypt the 
message. (This is useful in the file protection application later in Section 6.) 

Security. In essence, a proxy encryption scheme is also an encryption scheme at 
least from the grantee's point of view. The introduction of proxy keys and 
transformations must in no way corn-promise security and privacy of the encryption. 

15 Thus, it should be at least computationally hard for any unauthorized third party to 
recover the original message and decryption keys of the grantor and grantee from 
publicly available information. 

Moreover, forging valid proxy keys by any untrusted party should be very hard. 
It must be clear, though, that generating the proxy key % requires knowledge of at least 

20 the decryption key of the grantor; otherwise the underlying encryption system is not 
secure. 

Transitivity. Naturally, the proxy relationship should be transitive. After the 
grantor delegates the decryption right, the grantee should be able to act as a new grantor 
to delegate the right further to another grantee, by just following the same scheme. 
25 Moreover, it should be possible for someone, say the first grantor, to delegate the right 
directly to a new grantee by combining all intermediate proxy keys into one proxy key 
and composing all consecutive proxy transformations into one transformation. 

Performance. As the re-encryption scheme is an intuitive, straightforward 
solution to proxy encryption and it satisfies the above delegation, security and transitivity 
30 requirements, any practically useful proxy encryption scheme should have no degradation 
in computational performance when compared with the re-encryption scheme. 
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Proxy encryption schemes may vary according to their application requirements. 
They can be categorized according to many aspects. Obvious ones include whether they 
are public-key or private-key based, and whether their security measures are perfect in 
the information theoretical sense or rely on intractability of some computational 
5 problems. The following aspects ones are related to the proxy key and transformation. 

Confidentiality. While secrecy of messages and decryption keys has to be 
enforced, secrecy of proxy keys and proxy transformations may not be a mandatory 
requirement. A scheme is called public if proxy keys it generates may be published 
without compromising its security and proxy transformations applied in untrusted 
10 environments; otherwise, the scheme is private. In a private scheme, when a proxy key is 
transferred from the grantor to the facilitator and grantee, care must be taken to protect 
the proxy key from disclosure. As a result, the proxy transformation which uses the 
proxy key must be performed in private as well. 

Commutativity. In terms of messages, the grantee must be unconditionally trusted 
15 by the grantor, since proxy encryption by definition allows the former to decrypt on 
behalf of the latter. However, the trust model may be different for their private 
information. A proxy encryption scheme is commutative if the grantor and grantee have 
to trust each other with regard to their private keys; otherwise, it is non-commutative. A 
commutative example is that the proxy key is such created that either one of the grantor 
20 and grantee can obtain other's decryption key from it. Whenever this is the case, the 
proxy encryption mechanism may be simplified to a key exchange protocol that allows 
the grantee to use grantor's decryption key to decrypt the encrypted messages directly. 

Generality. In many cases, the grantor wants to restrict the scope of the delegated 
decryption right. Often intended restrictions include that the proxy key may only be used 
25 by a designated grantee, that the proxy key may only be applicable to a specific message, 
or that the proxy transformation may only be applied by a specific facilitator. For 
example, when a proxy encryption scheme is used in some applications like key escrow, 
it would be ideal that proxy keys are independent of messages they will apply to. But for 
occasional delegation such as securely specifying inheritance in someone's will, it may 
30 be highly desirable that a proxy key can only be restricted to a designated party (e.g., a 
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grandchild), applicable to a specific message (e.g., some portion of the will) and possibly 
used in the proxy transformation by a particular party (an attorney). 

Degenerateness. When used in the extreme situation where the grantor and 
grantee are a same person with a same decryption key, a proxy encryption scheme should 
reduce to a regular encryption scheme, without introducing any complications (such as 
non-trivial proxy keys and transformations, and the requirement of an extra facilitator). 

As will be shown below, the Mambo and Okamoto schemes are private and non- 
commutative. Proxy keys in their schemes can be either message-independent or 
dependent but are not restricted to designated grantees. The Blaze and Strauss scheme is 
just opposite: it is public but commutative, and its proxy keys are message-independent 
but uniquely associated with designated grantees. In comparison, the schemes according 
to the invention set forth herein are public and non-commutative, and their proxy keys are 
message-dependent and restricted to designated grantees. 

Proxy Encryption Using the ElGamal Crvptosvstem 

As the proxy encryption schemes discussed below in this disclosure will all be 
based on discrete logarithms in multiplicative groups, a formal setting which is common 
to all these encryption schemes is hereby adopted. The notation used herein recalls the 
ElGamal encryption scheme. Encryption schemes based on discrete logarithms are 
particularly advantageous because of their technical advantages over RS A-type schemes 
and their natural generalizations to many finite groups such as elliptic curve groups over 
finite fields. 

As set forth above, for any natural number n, let Z n = {0,l,...,n-l} denote the 
ring of integers modulo n, and let Z*„ = {me Z n I gcd(m,n) = 1} denote the multiplicative 
group of Z„. Note that, when n is a prime, Z* = {l,...,n-l} . For a modulo n and a 
number a that is relatively prime to n, let a 1 denote the multiplicative inverse of a 
modulo n; that is, a" 1 is the element that satisfies aa l = l(modn) . 

An element a of Z* is said to be of order m if the number of its powers modulo n 
is m. A generator g of Z* , if it exists, is an element of order I Z* I (the size of Z* ); in 
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this case, Z* is a cyclic group. When n is a prime, every element of Z* except 1 is a 
generator of Z* . 

Let Z* be a cyclic group with a generator g. The discrete logarithm of an 
element x to the base g, denoted as log g x, is the unique integer a, 0 < a < n - 1 , such that 
5 x = g°(mod n). The discrete logarithm problem is that, given a prime p, a generator g of 
Z* p , and an element x e Z* p , find the integer a, 0 < a < p - 2 , such that g a = x(mod p) . 

A very closely related problem is the Diffie-Hellman problem: given a prime p, a 
generator g of Z* , and elements g a (modp) and /(modp), find g°Vodp). The 
discrete-logarithm problem is at least as hard as the Diffie-Hellman problem, because any 
10 solution to the former problem can be used to solve the latter problem. 

The ElGamal encryption scheme shown in Figure 6 is a part of a discrete- 
logarithm based, public-key cryptosystem proposed by ElGamal for both encryption and 
digital signature. See T. ElGamal, "A public key cryptosystem and a signature scheme 
based on discrete logarithm," IEEE Trans, on Information Theory, Vol. 31, pp. 465-472 
15 (1985). 

Referring now to Figure 6 in detail, the ElGamal scheme is set up (step 610) by 
establishing two public parameters p and g, where p is a prime (typically 512 bits in 
length), such that p-\ has a large (typically 160 bit) prime factor q (e.g., p=2q+l) and g is 
a generator in Z* . A private key for a user is set (step 612) by uniformly choosing a 
20 random number aeZ*_,. Its related public key is calculated (step 614) as 

a = g" (mod p) . The user publishes a and keeps a secret. 

To encrypt a message m to be sent to user A with public key a, a random number 
jteZ' H is uniformly chosen (step 616), and a pair of numbers (r,s), together 
representing the encrypted message to be sent to A, is calculated (step 618) as follows: 
25 r- g k (mod p) and s = ma k (mod p) . 

To decrypt the message (r,s), the recipient A recovers the message m (step 620) 
by calculating 

m = s(r a ) _1 (modp). 
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Note that the selection of the public parameters is intended to establish equation 
g p_1 (modp) = l (Fermat's little theorem). These parameters should be authentically 
known to all users. They can be chosen, say, by some trusted authority. Also, the way 
that private key a is chosen ensures that the inverse a 1 of a modulo p-l exists and is 
unique. 

Unlike the RSA public-key encryption scheme, the ElGamal scheme is non- 
deterministic, since the encrypted message also depends on the random number k. 
Indeed, it is similar in nature to the Diffie-Hellman key exchange protocol; the key 
established between the sender and receiver for encrypting and decrypting the message m 
is g ak (mod p) from r = g k (mod p) (part of the encrypted message) and a = g a (mod p) 
(the public key of A). Nevertheless, the security of the ElGamal encryption scheme relies 
on the intractability of the discrete logarithm problem and the Diffie-Hellman problem. 
To date, practice in seeking optimal algorithms for the discrete logarithm problem has not 
found any efficient (polynomial-time) solution. It is similar to the situation for the 
integer factorization problem upon which security of the RSA scheme is based. 
Moreover, it has also been shown that, for some primes p, solving the discrete logarithm 
problem is at least as hard as solving the factorization problem of a same size. This 
implies that for those ps, the ElGamal scheme is at least as secure as the RSA scheme. 

Very recently, several proxy encryption schemes have been proposed. All these 
schemes follow the generic proxy encryption scheme in delegating the decryption right: 
the encryptor sends an encrypted message to the grantor A, who then delegates the 
decryption right to grantee B by creating the proxy key, and after the proxy 
transformation is completed the grantee B finally decrypts the message. Two 
representative and known proxy encryption schemes are presented below: one from 
Mambo and Okamoto and the other from Blaze and Strauss, both of which are variations 
on the ElGamal scheme. Since they have the same scheme setup as the ElGamal scheme, 
the setup (see steps 610-614 of Figure 6 above) is omitted from the presentation. 

Mambo and Okamoto have proposed three proxy encryption schemes: two are 
based on the ElGamal scheme and the other is based on the RSA scheme. The one shown 
in Figure 6 and described below is ElGamal-based and shares its basic features with the 
other two schemes. 
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Referring now to Figure 7, given a message m that needs to be sent to a grantor A 
with public key a, the message m is encrypted by uniformly choosing a random number 
Jfee Z* M (step 710) and calculating a pair of numbers (r,s) representing the encrypted 

message (step 712) as follows: 

5 r = g k (mod p) and s = ma k (mod p) . 

To delegate the decryption right to a grantee B, the grantor A creates a proxy key 
tz by uniformly choosing a random number a'e Z\_ x (step 714) and calculating 
K = afl'(mod(p-l)) (step 716). Then, A delivers the proxy key % to B (step 718) in a 
secure manner (e.g., by encrypting it with B's public key) and keeps the value of a' 

10 private. 

To allow B to decrypt the message, A calculates r' = r a 1 (mod/?) , where a' 1 is 
the multiplicative inverse of a' modulo p-1 (step 720). The pair (r', 5) is the transformed, 
encrypted message to be sent to B. 

Upon receiving the transformed message (/, s) and the proxy key jt, B decrypts 

15 the message m (step 722) by calculating m = s(r" ) -1 (mod p) . 

This proxy encryption scheme uses the encryption and decryption components of 
the ElGamal scheme, except B's private key is replaced by the proxy key ar. It is correct 
because, when using ^to decrypt the transformed message (/, s), the following holds: 
*((/)* rVod P) = ^r^'rVodp) = mg ia (g fa, )- 1 (niodp) = m . 

20 The security of this scheme is evaluated in two aspects. The complexity for 

anyone, including the grantee B, to discover grantor A's private key a based on all the 
available information is as same as the one for solving the discrete logarithm problem. 
The difficulty for anyone, even with the proxy key, to impersonate A to transform the 
encrypted message (i.e., to generate (r\ s)) is the same as the one for solving the Diffie- 

25 Hellman problem. 

This scheme has several very appealing features. First, its security implies that it 
is hard for B to recover A's private key. In this sense, there is no need for A to trust B, 
and hence the scheme is non-commutative. Second, the proxy key n generated is 
message-independent. B can use it to decrypt all the messages transformed by A. Third, 
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this scheme satisfies the transitivity requirement. Upon receiving both the proxy key jc 
and the transformed message (V, s), the delegated user B can further delegate the proxy to 
another user C, by treating tt as the private key a and (r', s) as (r, s) and repeating the 
proxy generation and transformation. Fourth, the scheme requires less computational 
efforts than the re-encryption scheme. 

However, implementing proxy encryption in the manner of this scheme has 
several shortcomings. First, the proxy key contains no information about the delegated 
grantee B; it is solely derived from grantor A's private key. Moreover, the message 
decryption performed by B does not need fl's private decryption key either. 
Consequently, the message can be recovered by anyone that gets hold of the proxy key 
and encrypted message, not necessarily B. Thus, B can ask anyone to decrypt the 
message by directly passing the proxy information. In many cases, this is not desirable; 
A should be able to specify the key holder who is to act on A's behalf. 

Second, the proxy key n has to be a secret between A and B and needs to be 
transmitted from A to B in a secure manner. As a result of jt containing no information of 
B and (V, s) being possibly communicated in public, revealing n is essentially equal to 
disclosing the message. 

Third, the proxy transformation has to be conducted by A. The value a' used in 
the transformation is a secret to A and it is vital to preventing B from knowing A's 
decryption key a. 

In short, the scheme is non-commutative and message-independent, but private 
and unable to specify the designated grantee. 

Blaze and Strauss have described another public-key proxy encryption scheme. 
As can be seen in Figure 8, the scheme is similar in structure to ElGamal encryption, but 
with the parameters used differently and the inverse of the secret used to recover the 
message. 

Turning now to Figure 8 in more detail, given a message m that needs to be sent 
to a grantor A with public key a, the message m is encrypted by uniformly choosing a 
random number k e Z*_j (step 810) and calculating a pair of numbers (r, s) representing 

the encrypted message (step 812) as follows: 

r = mg k (mod p) and s = a k (mod p) . 
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To delegate the decryption right to a grantee B, the grantor A creates a proxy key 
n by obtaining Fs private decryption key b (step 814) and computing 
K = a~ l b(mo&(p-\)) (step 816), where a' 1 is the inverse of the private key a of A 

modulo p- 1 . The proxy key ic can be made public. 
5 To use the proxy key jt to convert a message (r, s) encrypted for A to a message 

encrypted for B, the facilitator (not necessarily A, since the proxy key k is public) 
computes s = s K (mod p) (step 818). The pair (r, s 1 ) represents the transformed 
encrypted message, which can then be transmitted to B. 

To decrypt the transformed message, B computes m = r(s' b * y 1 (mod p) (step 
10 820), where b is S's private key and b' x is the inverse of b modulo p-\ . 
The scheme is correct, since in the message decryption 

s' b ~ l = g k (mod p) and m = r(g k ) _1 (mod p) . 
The scheme is secure in that the message m and secret keys a and b cannot be recovered 
from the encrypted messages and public keys. Moreover, publishing the proxy key 

15 compromises neither the message m nor the secret keys a and b. More precisely, the 
problem of recovering m from the public information (a, B, r, s, k, s 1 ) is as hard as the 
Diffie-Hellman problem. 

In contrast to the previous scheme, the last security feature makes it unnecessary 
to keep the proxy key jt private. Thus, the grantor A can publicly send n to whoever 

20 (facilitator) is to perform the proxy transformation, or can simply publish it. Moreover, 
the scheme does not require any secret from A in order to carry out the proxy 
transformation, and consequently it allows anyone, trusted or not, to perform the 
transformation and hence eliminates the necessity of A's, as well as B's, presence in the 
transformation. 

25 Also unlike the previous scheme, there is no difference to the user B between 

decrypting a regular encrypted message and decrypting a proxy transformed message. 
This elegant feature allows the user B to treat all incoming encrypted messages 
uniformly. In fact, it is possible for an untrusted facilitator or server to perform the proxy 
transformation and then forward the message to the user B. 
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In spite of these desirable features, this scheme is commutative; the involved key 
holders A and B must trust one another bilaterally. B can learn A's secret key a (by 
multiplying the proxy key by b l ). In addition, the proxy key is also message- 
independent, as it is in the previous scheme, which delegates B the right to decrypt all 
5 messages encrypted for A's private key a. Accordingly, this scheme is public and 
message-independent but commutative. 

Two proxy encryption schemes according to the invention are presented herein, 
and then analyzed in regard to their security, commutativity and performance. Like the 
private proxy scheme, they are non-commutative, and at the same time, they support 
10 public proxy keys and transformations in the fashion the commutative proxy scheme 
does. However, they differ from the private and commutative schemes in that they are 
message dependent. Moreover, their overall performance is better than the ElGamal- 
based re-encryption scheme. 

Again, these schemes share the same scheme setup of the ElGamal scheme, and 
15 they assume that a grantor A delegates the decryption right to a grantee B. 

To understand how to adapt the ElGamal scheme into a proxy encryption scheme, 
it is helpful to examine some details of the ElGamal scheme. It should be noted that the r 
component of the encrypted message m is independent of the recipient A's private key a 
and public key a. As s = ma k (mod p)=mg ka (mod p) , a is only used in the s 
20 component, and a is implicitly embedded in s's exponent. Thus, it is sufficient for the 
proxy transformation to convert the message encrypted for A into the message encrypted 
for B by removing A's private key a from s and replacing it with B's private key b. In 
order to prevent B from obtaining A's private key a, the function to generate the proxy 
key must be somehow "one-way." Indeed, this can be achieved with aid of the random 
25 number k as follows: 

M = g k ^ a) (modp). 

Consequently, the proxy transformation that completes the message conversion should 
look like the following: 

s' = stf(mod p) = mg*V ( ^° (mod p) = mg kh (mod p) . 



30 



The above discussion leads to the scheme in Figure 9. It turns out that the proxy 
key and transformation satisfy the security requirement and provide desired being-public 
and non-commutativity features. 

Referring now to Figure 9, given a message m that needs to be sent to a grantor A 
5 with public key a, the message m is encrypted by uniformly choosing a random number 
ke Z*_! (step 910) and calculating a pair of numbers (r, s) representing the encrypted 
message (step 912) as follows: 

r = g k (mod p) and s = ma k (mod p) . 
To delegate the decryption right to a grantee 5, grantor A creates a proxy key % by 
10 obtaining B's authentic decryption key b (step 914) and calculating n = r b ~ a (mod p) 
(step 916). 

The message is transformed from (r, s) to (r, s r ) by calculating s' = s&(modp) 
(step 918). The message m is then decrypted by B from (r, s*) by computing 
m = s V T 1 (mod p) (step 920). 
15 Clearly, this scheme uses the message encryption and decryption steps of the 

ElGamal scheme. It is correct as the message m can be recovered from 

sV)" 1 (mod p) - s7C(r b y l (mod p) = mg ak g^Cg*)" 1 (mod p) = m . 
A nice feature of this scheme is that, not only do regular and proxy encrypted 
messages appear no different to the grantee 5, but also the scheme coincides with the 
20 ElGamal scheme when A and B are the same user with the same key; in this case, the 
proxy value % is equal to 1 and the proxy transformation is the identity transformation. 

It is easy to see that the scheme is transitive. Upon receiving the proxy 
transformed message, the grantee B can act like the grantor A to further delegate the 
decryption right to, say, another grantee C by repeating the proxy generation step with the 
25 keys b and c in place of a and b. 

Also like the commutative scheme, the proxy generation step requires both A's 
and B's private keys in order to generate the proxy key tt. As an alternative, this step can 
be carried out by anyone that is trusted by both A and B. As noted above, A's private key 
is definitely needed, as otherwise anyone can issue a proxy key to recover the message 
30 and the underlying encryption scheme is not secure. To establish and communicate B's 
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private key b, many key-exchange protocols such as the Diffie-Hellman key exchange 
may be used. As shown in further detail below, in some practical applications the 
requirement of the key b either is not a problem or can be relaxed. 

But unlike the private and commutative schemes, this scheme does not make it 
5 easy for the grantee B to decrypt messages encrypted for A other than the intended one. 
Clearly, the proxy key n contains a piece of information that is specific to the encrypted 
message m, namely, the random number k. In this sense, the proxy scheme is message- 
dependent. Moreover, the scheme is non-commutative in the sense that it is hard for B to 
discover A's private key a. This fact, together with the performance of the scheme will 
10 be established after presenting the next scheme. 

Note that, in the previous scheme, the proxy transformation only changes the s 
component of the encrypted message. Since s is the part that actually carries the 
information about the message m, the scheme may not be efficient when m is a very long 
message. For example, the proxy key generated would be as long as the message and the 
15 effort spent in the proxy transformation would be linear with regard to the length of the 
entire message. 

The scheme presented in Figure 10 tends to improve this situation. It uses the 
message encryption step of the commutative scheme in which the message m is shifted 
from s to r. Its proxy key and transformation now have no direct dependence on the 
20 message m. 

As shown in Figure 10, given a message m that needs to be sent to a grantor A 
with public key a, the message m is encrypted by uniformly choosing a random number 
ke Z* p _! (step 1010) and calculating a pair of numbers (r, s) representing the encrypted 
message (step 1012) as follows: 
25 r = mg k (mod p) and s = a k (mod p) . 

To delegate the decryption right to a grantee B, grantor A creates a proxy key % by 
obtaining B's authentic decryption key b (step 1014) and calculating 

n = (s"' 1 ) fc_a (mod p) (step 1016), where a' 1 is the inverse of a modulo p-1. 
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The message is transformed from (r, s) to (r, f) by calculating s' = sn(modp) 
(step 1018). The message m is then decrypted by B from (r, $0 by computing 
m = r ( s ,b ' 1 ) _1 (modp) (step 1020), where b' 1 is the inverse of b modulo 

This scheme is correct since 

/■(**" r 1 (mod p) = r{(sK) b ~ l ) _1 (mod p) 

= r{(s{s a ~ l ) b - a f l y l (mod p) 
= r((g ka g k(b - a) f i r\™dp) 
5 =r((g to ) fe "')- 1 (modp) 

= mg*(g*) _1 (modp) 
= m 

Other properties of this scheme can be verified in the same way as the previous scheme. 

Due to their similarity in nature, only the first of the two new schemes is analyzed 
in this section in regard to its security and non-commutativity. An almost same 
discussion can be carried out for the second scheme. In addition, though the first scheme 
10 (as well as the second scheme) is transitive and its security may involve more than two 
key holders, the analysis to be given only considers the two-key-holder case; the general 
case is also similar. For presentation clarity, the phrase "(mod p)" will be omitted in this 
subsection; its occurrence should be clear from context. 

Recall that, other than the scheme parameters (p, g), the public information 
15 available from the scheme includes 

a=g\ P = g\ r = g\ s = mg"\ n = g^ a \ s=mg bk . 
For the reasons set forth below, the scheme is computationally secure. It is hard 
to recover the message m and secret keys a and b from the public information, provided 
that the Diffie-Hellman and discrete-logarithm problems are hard to solve. Since the 
20 proxy key is part of the public information, this implies publishing it compromises 
neither the message nor the secret keys. A consequence of this is that it is also hard for 
anyone to forge a valid proxy key in a systematic manner. Beyond that, the scheme is 
shown to be non-commutative in the sense that even with S's private key, it is still hard 
to recover A's private key. If the proxy key is indeed generated by a third party trusted 
25 by both A and B, this fact implies that it is not necessary for B to trust A either. This is a 
significant improvement over the commutative scheme. 
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Moreover, as stated above, the proxy encryption schemes of the invention are 
more efficient than re-encrypting a message. Below, in Table 2, is the performance of the 
two proxy encryption schemes according to the invention described herein compared 
with the re-encryption scheme using the ElGamal algorithm, in terms of the amount of 
5 computation they require. In Table 2, the numbers of multiplication operations, 
exponentiation operations, and inversions, all performed modulo /?, are listed for these 
schemes. 



Table 2 



Operations 


Re-Encryption 


First Scheme (Fig. 9) 


Second Scheme (Fig. 10) 


mult. 


exp. 


inv. 


mult. 


exp. 


inv. 


mult. 


exp. 


inv. 


Encryption 


Kx2) 


2(x2) 


0(x2) 


1 


2 


0 1 


2 


0 


Proxy Key Gen. 








0 


1 


0 


0/1 


2/1 


1/0 


Transformation 








1 


0 


0 


1 


0 


0 


Decryption 


Kx2) 


Kx2) 


l(x2) 


1 


1 


1 


1 


1 


2/1 


Total 


4 


6 


2 


3 


4 


1 


3/4 


5/4 


3/1 



10 Note that the total number of operations for re-encryption using the ElGamal 

scheme is twice the number of operations for a single ElGamal encryption and 
decryption, since the message must first be encrypted, then decrypted, then re-encrypted, 
then re-decrypted. Moreover, the computation in the second scheme can be optimized by 
(i) pre-computing the inverses a 1 and b~ l in the scheme setup step and (ii) multiplying the 

15 two exponential components (modulo (p-1)) in the proxy generation step instead of using 
two exponentiations. The second set of numbers under the second scheme result from 
this optimization. Overall, the inventive proxy encryption schemes presented herein have 
better performance than the simple, ElGamal-based re-encryption scheme. 

20 A pplications 

Public and non-commutative proxy encryption schemes provide a key mechanism 
for implementing a wide range of applications. Massive document distribution and file 
protection are two key motivations for this disclosure. These applications correspond to 
25 two typical situations for proxy encryption. The former is related to the case where the 
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grantor is the one who encrypts the message at the first place, while the latter is to self- 
delegation in which the grantor and grantee are the same key holder but with different 
keys. 

Again, note that a document refers to any digital file whose content could text, 
5 graphics, audio, video, executable or even multi-media. Usually, a document is large in 
size, even after compression. Because public-key algorithms tend to be very slow when 
compared with conventional private-key algorithms such as DES, IDEA and RC4, and 
private-key algorithms require establishing secret keys to begin with, the most practical 
approach to massive and secure distribution of documents over networks is to combine 
10 the private-key and public-key encryption mechanisms. Typically, an efficient private- 
key algorithm is used to encrypt the document by using a randomly generated key, called 
the session key, and the public key for each document recipient is used to encrypt this 
session key. Recipients use their private keys to recover the secret session key and then 
use it to decrypt the document. 
15 Indeed, the above document distribution approach has the proxy encryption 

flavor; the owner encrypts the document first using a private-key scheme and then grants 
the decryption right, upon request, to its recipients via a public-key scheme. It turns out 
that, either one of the two new proxy encryption schemes can be used to combine the best 
features of the approach into a single, normal encryption scheme. 
20 Take the second scheme set forth above (Figure 10), for example. Two 

observations are in order. First, the component r of the encrypted message can be 
generated using any private-key encryption scheme with K = g k (modp) as the secret 
session key. Accordingly, the message m can be recovered in the message decryption 
step by its corresponding private-key decryption using the secret session key 
25 K' = s b ~' (mod/?) = K . In fact, the secret-key encryption scheme used in the scheme is 
r = E K (m) = mK(mod p) for encryption and m = D K > (r) = rK'~ l (mod p) for decryption. 
Another simple example is the encryption scheme based on bit-wise XOR (©). In this 
case, the computation of r and m can be replaced by 

r = E K (m) = m®K and m = D K (r)~ r® K . 
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Certainly, more sophisticated private-key encryption schemes such as DES and triple- 
DES can be employed if stronger security is needed. 

The second observation is that, if the grantor A is the one who encrypts the 
message m, then A can keep the random number k private and use B's public key 
5 = g b (mod p) , instead of £'s private key b, to generate the proxy key: 

w = (jte" 1 )*(modp), 

where a is A's public key. This eliminates the requirement for JS's private key b (or key 
exchange between A and £), and implies that B does not have to trust A, either. 

These two observations lead to the document distribution scheme shown in Figure 
10 11, which is based on the second proxy encryption scheme according to the invention set 
forth above (and in connection with Figure 10). In the scheme, a private-key encryption 
scheme is used to encrypt the message just once for all recipients, while a less expedient 
proxy-key portion is used to encrypt a small amount of information - the session key - 
customized once for each recipient. A beneficial feature of this scheme is that the 
15 encrypted document can be stored in a publicly accessible repository, and the proxy 
transformation can be performed by the document owner A, the recipient 2?, or the 
repository where the document is physically stored, depending upon the needs of real 
document management and distribution systems. 

Referring now to Figure 11, the scheme is set up the same way as a standard 
20 ElGamal scheme (see Figure 6, described above). In addition, a symmetric, private-key 
encryption scheme is selected (step 1110). Its encryption function is mH E K (m) and 
decryption function is r\-^D K (r) , where K is some private key. 

To encrypt a document m, owner A first chooses a uniformly random number 
Ice Z* p _ x (step 1112) and calculates a session key K = g k (modp) (step 1114). The 
25 encrypted document (r, s) is then calculated as follows: 

r = E K (m) and s = K a (mod p) . 
(step 1 1 16), where a is A's private key. A keeps the pair (s, k) private. 

Upon request from a recipient B for the encrypted document (r, s\ A first obtains 
B's authentic public key fi (step 1118) and retrieves k from the pair (s, k) (step 1120). A 
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then computes n B = p k s' x (mod p) (step 1 122), where s 1 is the inverse of s modulo p, as 
the proxy key for 5. 

The document is then transformed by computing s' = sn B (mod p) (step 1124); 
the pair (r, s') represents the transformed document customized for fl. 

To decrypt the customized document (r, s') and retrieve the original document m, 

5 first recovers the session key by calculating K = /* 1 (mod p) (step 1126), where b' 1 is 
the inverse of b modulo p-1. Then the document itself is decrypted by calculating 
m = D K (r) (step 1128). 

As described above, an adaptation of the present invention is also applicable to a 
file protection application. Usually, file protection in insecure systems such as laptops 
and networked hardware involves long-term encryption of files. Thus, encryption keys 
used for file encryption have much longer lifetimes than their communication 
counterparts. While a user's primary, long-term, secret key may be the fundamental 
representation of a network identity of the user, there is a danger that it might get 
compromised if it is used for many files over a long period of time. If the primary key is 
lost or stolen, not only are contents of the files encrypted with it disclosed, but also the 
user loses personal information based on the key such as credit card account, social 
security number, and so on. Therefore, it is often preferable to use an on-line method in 
which a new decryption key is derived from the primary key every time a file needs to be 
20 encrypted and gets updated on a regular basis. 

With the proxy encryption schemes set forth herein, new decryption keys can be 
generated and constantly updated through self-delegation to keep them fresh. Once a 
new key is created and a corresponding proxy key generated, the old secret key can be 
destroyed, with the new key and proxy key maintaining the ability to decrypt the file. 
25 Figure 12 shows a file protection scheme that uses a smart card to store and 

update decryption keys. It is again based on the second proxy encryption scheme 
presented herein, as illustrated in Figure 10. 

As shown in Figure 12, to encrypt a file m, a processor embedded in a smart card 

chooses a random number k e Z* _ t (step 1210) and computes 
30 r = mg k (mod p) and s = (g k ) a (mod p) 
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(step 1212), where a is the smart card's private key. The pair (r, s) represents the file m 
in encrypted form. 

Whenever necessary or desired, for example every few weeks or after a 
predetermined number of document accesses, the smart card generates another uniform 
5 random number ae Z\_ x (step 1214) and computes s' = (s a ~ l f (mod p) (step 1216), 
where a 1 is the multiplicative inverse of a modulo p-l. The encrypted file (r, s) is then 
replaced with (r, s') (step 1218), and the decryption key a is replaced with a new 
decryption key a! (step 1220). These steps 1214-1220 can be repeated as many times as 
desired. 

10 To recover the original file m from its encrypted version (r, s\ the processor on 

the smart card uses the latest decryption key a to compute m = rs al (mod p) (step 1222). 

Note that the file encryption step can start with any secret key it generates, not 
necessarily the smart card's private key. 

To keep encrypted files fresh by updating encryption data with a piece of smart- 
15 card-generated information helps to maintain single useful copies of protected files. This, 
in some sense, provides copy protection as well. Moreover, the non-commutativity of the 
scheme renders previous copies of the files useless, as the corresponding secret 
information stored in the smart card has been changed (and preferably destroyed). 

20 Proxy Encryption Using the Cramer-Shoup Crvptosvstem 

Although the foregoing examples and algorithms all employ various adaptations 
of the ElGamal cryptosystem, it should be noted that other cryptosystems can also be 
adapted by a scheme according to the invention. 

25 For example, the Cramer-Shoup public-key cryptosystem is a recently proposed 

cryptosystem that is the first practical public-key system to be provably immune to the 
adaptive chosen ciphertext attack. See R. Cramer and V. Shoup, "A Practical Public Key 
Cryptosystem Provably Secure against Adaptive Chosen Ciphertext Attack," Proceedings 
of CRYPTO m Springer Verlag LNCS, vol. 1462, pp. 13-25 (1998). The adaptive 

30 chosen ciphertext attack assumes that the attacker can obtain decryptions of any chosen 
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ciphertexts other than the target ciphertext. For example, if the target ciphertext for 
which the plaintext is wanted is c, then the attacker is assumed to have access to a 
"decryption oracle" which will decrypt any ciphertext except c, including for example 
c+1, 4c, etc. RSA and ElGamal fall easily to this kind of attack. A different, but 
5 equivalent, notion of security against active attacks is called non-malleability; however, 
known non-malleable systems are not practical. 

Set forth below in Figure 13 is a description of a hash-free version of the Cramer- 
Shoup cryptosystem, the security of which is based strictly on the Diffie-Hellman 
decision problem for an arbitrary group. Thereafter, how to delegate the right to decrypt 
10 in a Cramer-Shoup scheme will be illustrated in two different situations. 

Referring initially to Figure 13, the system is set up by choosing G as a group of 
prime order q, where q is large (step 1310). The system assumes that cleartext messages 
are (or can be encoded as) elements of G, and ciphertext messages are elements of 
G 4 =GxGxGxG; that is, a ciphertext message is four times as long as its 
15 corresponding plaintext message. 

A good example of the group G is the subgroup of order q in the multiplicative set 
Z* for some large prime p = 2q+l. In this case, a message m from the set {l,...,q} can 
be "encoded" by squaring it modulo p, resulting in an element in G, and the message m 
can be recovered from its encoding by computing the unique square root of its encoding 
20 modulo p, in the set {l,...,q} . 

A key is generated as follows. First, random elements g 15 g 2 e G are chosen 
(step 1312), and random elements x x ,x 2 ,y n ,y n ,y 2X ,y 21 ,y n ,y 32 ,ze Z q are chosen (step 
13 14). Next, the group elements c = g* 1 g? , d x = g?" g* 1 , d 2 = g{ 21 gf , d 3 = gf 1 g 2 fe , 
and h = g{ are computed (step 1316). The public key is then calculated to be 
25 (g x ,g 2 ,c,d x ,d 2 ,d 3 ,h) (step 1318) and the private key is calculated to be 

(*i ,x 2 , y u , y n , y 2l , y 22 , y 3 i * ^ > z) ( ste P 132 °)- 

Given a message me G, the encryption method begins by choosing re Z q at 

random (step 1322). Then the ciphertext (u x ,u 2 ,e,v) is calculated as follows (step 1324): 

"i = 8i . M 2 = Si > e = ft™ , and v = c r d" xr d u fd" . 
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Given the ciphertext (u x ,u z ,e,v), the corresponding decryption algorithm first 
tests if v = M *i +a '»' +K ^+%i M ^+"iyi2+«2ta+% ( step 1326). If not, the decryption effort is 

1 

rejected (step 1328). Otherwise, the message m is calculated asm = e/u l z (step 1330). 

The correctness of a cryptosystem can be verified by checking that the decryption 
of an encryption of a message yields the message. In this case, since u x = g[ and 
u 2 = g 2 , one has u?u? = g 2 2 = c r . Likewise, 

M X 1 +U 1 y 1I +«2>-21+0'31 M ^2+« 1 >12+«2>'22+%2 _ J ftW ft** ft* ^ = _ 

Therefore, for the valid ciphertext, the test performed in the decryption algorithm will 
pass. 

The security of this cryptosystem relies upon the difficulty in solving the Diffie- 
Hellman decision problem. An algorithm that solves the Diffie-Hellman decision 
problem is a statistical test that can effectively distinguish the following two 
distributions: (a) random quadruples (g^g^u^uje G 4 , and (b) random quadruples 

(g 1 ,g 2 ,M 1 ,« 2 )€ G 4 , where g lf g 2 are random and u x = g[ and u 2 = g r 2 for some random 

reZ q . 

Related to the Diffie-Hellman decision problem are the Diffie-Hellman problem 
(given g, g x , and f, compute g*), and the discrete logarithm problem (given g and g x , 
compute x). Within polynomial time, the Diffie-Hellman decision problem can be 
reduced to the Diffie-Hellman problem which in turn can be reduced to the discrete 
logarithm problem. It is this relationship between the three problems that leads to the 
possibility of delegating the right to decrypt for the Cramer-Shoup system. 

Assume that someone wants to delegate the right to decrypt from a delegator 
(Alice, A) to a delegatee (Bob, B). Suppose that Alice has the public key 
(g x ,g 2 ,c,d x ,d 2 ,d 3 ,h) and the private key (x l ,x 2 ,y u ,y l2 ,y 2l ,y 22 ,y 3l ,y 32 ,z), and that 
Bob has the public key (g' l ,g' 2 ,c',d' l ,d' 2 ,d' 3 ,h') and the private key 

(x[ , x 2 , y' n , y' n , y' 21 , y' 12 , y' 3l , y 32 , z) • 

Recall, that for a given plaintext message me G, the ciphertext message for 
delegator A is M =(« 1 ,w 2 ,e,v), where u l = g[, u 2 =g 2 , e = h r m, and 
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v = c r d" ir d$ 2r d" . Similarly, if the message m is directly encrypted for the delegatee B, 
the ciphertext message is M' = (u.[,u 2 ,e,v) , where u[ = g[ r , u 2 =g' 2 r , e=h' r m, and 
v = c' r ' d[ u{r ' d'"' 1 *' d'/ r ' , where r 1 is also a random number from Z q . Note further that 

v = (cd?d?d;y and v'={c'd'*d?d'/Y . 
5 Based on the ideas set forth above, to delegate the right to decrypt from A to B 

involves generating a transfer key k, using that transfer key to transform M into Af . In 
the following, it is assumed that the components g[,g 2 of B's public key are identical to 
the components g 1? g 2 of A's public key (analogously to the ElGamal system parameters 
described above). Also, it is assumed that the random number r' is the same as r. Under 
10 these two assumptions, elements u[,u 2 of B's ciphertext message are the same as 
elements u^u 2 of A's ciphertext message. 

Referring now to Figure 14, the system is set up by choosing G as a group of 
prime order q, where q is large (step 1410). Then, as above, key is generated as follows. 
First, random elements g,,g 2 eG are chosen (step 1412), and random elements 
15 jc, , x 2 , y u , y 12 , y 2l , y 22 , y 31 , y 32 , z e are chosen (step 1414). Next, the group elements 
c = g?g? , d x = gpg? , d 2 = gpg? , d 3 = gpg? , and h = g z x are computed (step 
1416). The public key is then calculated to be (g^g^cd^d^d^h) (step 1418) and the 
private key is calculated to be (x v x 2 ,y u , y 12 , y 21 , y n , y 31 , y 32 , z) (step 1420). 

Given a message me G, the encryption method begins by choosing reZ ? at 
20 random (step 1422). Then the ciphertext (h x , w 2 , e, v) is calculated as follows (step 1424): 
«! = g[, u 2 = g 2 , e = h T m , and v = c' r d" 1 ' 'd? ' d" . 

If B's private key is available for generating the transfer key jc, that key is 
obtained (step 1426) and then % can be calculated (step 1428) as follows: 

K = {e,6,d^8 2 ,8 3 ) 

25 where 
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9 = c' r lc r = g[ x{ - x ° r g^ )r = uf^u}-* 1 
S x =di r ld\ =uf i - y "u^- yn 
8 2 =d' 2 r ld[ =uf«- yil ui»- y * 
8 x =d'f Id? =u(» e - y »u(* e - y * 

The ciphertext transformation is then 

u[ = u x , u 2 = u 2 , e = ee , and v' = \08? S 2 2 S% . 
This transforms the ciphertext (u lt u lt e t v) into (u x ,u 2 ,e,v) (step 1430). 
5 The recipient/delegatee is then able to decrypt the transformed cyphertext 

0„« 2 ,e'y). As above, the decryption algorithm first tests if 
v '_ M ^;+«|y;i + 4>2i+«'yM M ^+»;y;2+«b22+«% ( ste p 1432). If not, the decryption effort is rejected 

(step 1434). Otherwise, the message m is calculated as m = el u[ z (step 1436). 

In the case where only the public key of the delegatee B can be used for 

10 delegating the right to decrypt the message from the delegator A to B, one needs to save 
and use the random number r used initially in encrypting the message for A. This may be 
a problem where the party to generate the transfer key is not A, and may not be a problem 
if the party is, in fact, A. In any case, if it is available, the transfer key x can be generated 
using 5's public key as follows: 

15 a = (£,6,8^8^6?) 

where 

S = c' r lc r =(clc) r 

8,=d[ r id[ = {d[id x y 

8 2 =d 2 r ld r 2 =(d' 2 fd 2 Y 

8,=^* id? =(d'* id,y 

The proxy transformation is then 

u[ = u t , u" 2 = m 2 , e = ee , and v' = v68" 1 8 2 2 8 e 3 . 
20 It is straightforward to verify, in either case, that the delegatee B can use his own 

private key to decrypt the ciphertext {u' x ,u 2 ,e',v) transformed by the methods set forth 
above. Since the mechanisms used herein on the Cramer-Shoup cryptosystem are the 
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same as those used above on ElGamal-like cryptosystems, they are public and non- 
commutative, assuming the Diffie-Hellman problem and the discrete logarithm problem 
are difficult to solve. 

As described above, through enhancing common public-key encryption schemes 

5 with the proxy encryption capability, it becomes possible to support flexible designated 
decryption. This disclosure has presented two public and non-commutative proxy 
encryption schemes, which have inherited the merits of the existing schemes and 
discarded their shortcomings. The new schemes have been shown to have direct 
applications to massive document distribution and file protection. The basic idea of these 

10 new schemes has also been applied to cryptosystems of other types such as the Cramer- 
Shoup cryptosystem, enhancing them into proxy encryption schemes. 

While the various aspects of the present invention have been described with 
reference to several aspects and their embodiments, those embodiments are offered by 
way of example, not by way of limitation. The foregoing detailed description of the 

15 invention has been presented for purposes of illustration and description. It is not 
intended to be exhaustive or to limit the invention to the precise form disclosed, and 
obviously many modifications and variations are possible in light of the above teaching. 
The described embodiments were chosen in order to best explain the principles of the 
invention and its practical applications to thereby enable others skilled in the art to best 

20 utilize the invention in various embodiments and with various modifications as are suited 
to the particular use contemplated. Those skilled in the art will be enabled by this 
disclosure will be enabled by this disclosure to make various obvious additions or 
modifications to the embodiments described herein; those additions and modifications are 
deemed to lie within the scope of the present invention. It is intended that the scope of 

25 the invention be defined by the claims appended hereto. 
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What is claimed is: 

1 . A method for protecting a data file on a computer system, comprising the steps of: 
encrypting the data file using a private key to create an encrypted data file; 
generating a new key; 

updating the encrypted data file with the new key to create an updated encrypted 
data file; 

replacing the encrypted data file with the updated encrypted data file; and 
replacing the private key with the new key. 

2. The method of claim 1, further comprising the step of repeating the updating step 
and the two replacing steps on a periodic basis. 

3. The method of claim 1, further comprising the step of decrypting the encrypted 
data file with the private key, wherein the private key has been replaced by the new key, 
and wherein the encrypted data file has been replaced by the updated encrypted data file. 

4. A processor-driven system adapted to protect a data file, the system comprising: 
a processor; and 

a memory coupled to the processor for storing the data file; 
wherein the processor is programmed to perform the steps of: 
encrypting the data file using a private key to create an encrypted data file; 
generating a new key; 

updating the encrypted data file with the new key to create an updated encrypted 
data file; 

replacing the encrypted data file with the updated encrypted data file; and 
replacing the private key with the new key. 

5. The processor-driven system of claim 4, further comprising a communication 
interface. 
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6. The processor-driven system of claim 4, wherein the processor and the memory 
are included within a portable device. 

7. The processor-driven system of claim 4, wherein the processor and the memory 
5 are included within a smart card. 
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ABSTRACT 



Methods for transferring among key holders in encoding and cryptographic 
systems the right to decode and decrypt messages in a way that does not explicitly reveal 
decoding and decrypting keys used and the original messages. Such methods are more 
secure and more efficient than typical re-encoding and re-encryption schemes, and are 
useful in developing such applications as document distribution and long-term file 
protection. 
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